DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is response to communication: response to amendments/arguments filed on 01/26/2026.
Claims 1-20 are currently pending in this application. Claims 1-9 have been withdrawn.
The IDS filed 02/17/2026 has been accepted.
Response to Arguments
Applicant’s arguments have been fully considered but are moot in view of new grounds of rejection. See amended rejection below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 10-20 are rejected under 35 U.S.C. 103 as being unpatentable over Reddy et al. US Patent Application Publication 2019/0305957 (Reddy), in view of Novotny et al. US Patent Application Publication 2022/0391541 (Novotny), and further in view of Dube et al. US Patent application Publication 2017/0132405 (Dube).
As per claim 10, Reddy teaches a method of verifying a software product using a software- provenance verification service, the method comprising: sending, from a deployment management system to a software- provenance verification service, an indication of the first software product (see paragraph 6 with determining to install software based on trust; paragraph 121 with checking trustworthiness of software; see paragraph 126, 131, and throughout with sending request for trust policy or calling a trust evaluation function utilizing identifier of software); receiving, from the software- provenance verification service, one or more results of a provenance verification of one or more artifacts associated with the first software product (paragraph 132 and throughout with receiving access to trust records); determining whether the first software product satisfies a security policy of a release channel based at least in part on the one or more results of the provenance verification (paragarphs 134-140 with verifying); and in response to the first software product being determined to satisfying the security policy, allowing the first software product to be installed through the release channel, wherein the method is performed using one or more processors (see paragraph 140 with performing action based on trust; see also claim 1, paragraph 6, and throughout wherein action to perform after verification of trust is an install of software.)
Reddy does not explicitly teach storing the one or more results of the provenance verification as a property of the indication of the first software product. However, this would have been inherent, if not obvious to one of ordinary skill in the art. Reddy already teaches receiving access to the provenance information and verifying it, which would imply storing such information as the information is processed. For a more explicit teaching on storing provenance information, see Novotny (paragraph 272 wherein provenance manifest is stored). Novotny further teaches provenance verification of one or more artifacts (see paragraph 90 and throughout).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Reddy with Novotny. One of ordinary skill in the art would have been motivated to perform such an addition to improve security (Paragraph 2 of Novotny).
Although the Reddy combination teaches verifying software-provenance, the combination does not explicitly teach wherein the security policy includes a set of rules associated with the release channel for installing the first software product. However, this would have been obvious. For example, see Dube (paragraphs 35-37, with utilizing a CLF certificate of provenance of the software; see paragraph 37 wherein provenance can be used to ensure items are trustworthy and based on factors such as coming from an approved, change managed environment; code can be installed only if such factors can be demonstrated; see also claim 1 of Dube.)
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Reddy combination with Dube. One of ordinary skill in the art would have been motivated to perform such an addition to increase security by establishing provenance of data and software (paragraph 8 of Dube)
As per claim 11, the Reddy combination teaches wherein the one or more results of the provenance verification service comprise a provenance verifications status which indicates whether the first software product does or does not pass the provenance verification (Reddy paragraph 140 with outputting indication of trustworthiness).
As per claim 12, it would have been obvious over the Reddy combination wherein the one or more results of the provenance verification service further comprise information corresponding to a second software used in the first software product for verification (Novotny paragraph 91 with manifest specifying the software used to perform validation).
As per claim 13, it would have been obvious over the Reddy combination wherein the release channel is selected from a plurality of release channels, and wherein at least two release channels of the plurality of release channels have different security policies (obvious over Novotny; see paragraph 37 with different release builds/versions based on changes; see paragraph 72 wherein verisons are different and different release builds/versions may need a different version validator/security policy.)
As per claim 14, the Reddy combination teaches wherein the security policy requires the first software product to pass the provenance verification (Reddy paragraph 6, 64, and throughout wherein verifications must satisfy policy/criteria).
As per claim 15, it would have been obvious over the Reddy combination wherein the security policy further requires that the first software product does not include a piece of software associated with a specific software license (obvious over Reddy; see paragraph 195 with policies including alerts of particular software licenses; see paragraph 78 with auditing software based on particular licenses; see further paragraph 177 policies including audits of software license requirements and compliances)
As per claim 16, the Reddy combination teaches wherein the first software product is associated with a version (Reddy paragraph 40 wherein software asset may have different versions).
As per claim 17, the Reddy combination teaches in response to the first software product being determined to not satisfy the security policy, not allowing for the first software product to be installed through the release channel (Reddy claim 1 with not installing when trust is not determined).
As per claim 18, it would have been obvious over the Reddy combination wherein the one or more artifacts are retrieved based on one or more bytes of metadata associated with the first software product (obvious over Novotny; see paragraph 90 with providing a list of artifacts; see paragraph 91artifacts manifest file generated from PDB file which has provenance metadata )
Claim 19 is rejected using the same basis of arguments used to reject claim 10 above.
Claim 20 is rejected using the same basis of arguments used to reject claim 11 above.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431. The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/JASON K GEE/Primary Examiner, Art Unit 2495